Re: Squid Proxy Vulnerability.

On Nov 29, 2007 4:36 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> > Shouldn't this line override that?
> >
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >
>
> It should be yes. But as your log provides it somehow is not.
>
> If you want to see exactly how it is done, try a wireshark/tcpdump trace
> on the incoming traffic.

Done the above, but I couldn't replicate it myself... it was pretty strange.

> You should check that the proxy is using the squid.conf you think it is.
> The startup script is able to override the default file.

Yes, it is using the conf we were editing:

CONFIG=/etc/squid3/squid.conf

> Secondly, you should try a small re-configuration:
>
> If you need the proxy for internal users you should have a localnet ACL
> defining the local networks and:
>    http_access deny !localnet
>    http_access deny all

This proxy is for internal users in other countries.  Most of them
have dynamic IPs, so restricting to the IP block is rather difficult.

> Also for the accelerator portion, you should have explicit:
>   http_access allow sites_on_bradbury_ats_za
> next to each cache_peer_access.
>
> If it's a pure accelerator you should also have:
>   never_direct allow all
> to prevent any non-served traffic.

Good info, thank you.  That would probably get rid of our open web
proxy (found some interesting sites in the log before it got hit by
the spammers).

> BTW: Which squid release is it?

This is 3.0.

Thanks for the assistance guys, if anyone else has more information,
I'm still open to hearing it.

> Amos
>
>
>
> >
> > On Nov 29, 2007 3:18 PM, Alexandre Correa <alexandre@xxxxxxxxxxxxxx>
> > wrote:
> >> check your config (http_access allow all) ...
> >>
> >>
> >> change it to
> >> http_access deny all
> >>
> >>
> >>
> >> On Nov 29, 2007 4:21 PM, Josh Fritts <reikoshea@xxxxxxxxx> wrote:
> >> > Hello,
> >> >
> >> > We got a notification from our ISP that our squid server was being
> >> > used to relay emails.
> >> >
> >> > We checked the logs and found 2.5 Million hits just like this snippet:
> >> >
> >> >
> >> > As you can see that's nearly 100 hits in 8 seconds.  I know this is
> >> > some kind of tool, but I cannot figure out a way to reproduce these
> >> > results.
> >> >
> >> > Our conf for this server is as follows (Host Names and IP addresses
> >> > have been changed in case our other servers are also vulnerable):
> >> >
> >> > ----------------------------------------------------------------------------
> >> >
> >> > http_port 3128
> >> > icp_port 3130
> >> >
> >> >
> >> > cache_dir ufs /var/spool/squid3 100 16 256
> >> > debug_options ALL,9
> >> >
> >> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=bradbury_ats_za
> >> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=weasel_ats
> >> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=reynolds_ats
> >> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=asimov_ats
> >> >
> >> >
> >> > acl sites_on_bradbury_ats_za dstdomain stuff.us.com
> >> > acl sites_on_weasel_ats dstdomain stuff2.us.com
> >> > acl sites_on_reynolds_ats dstdomain stuff3.us.com
> >> > acl sites_on_reynolds_ats dstdomain stuff4.us.com
> >> > acl sites_on_asimov_ats dstdomain stuff5.us.com
> >> > acl sites_on_asimov_ats dstdomain stuff6.us.com
> >> > acl sites_on_asimov_ats dstdomain stuff7.us.com
> >> >
> >> > cache_peer_access bradbury_ats_za allow sites_on_bradbury_ats_za
> >> > cache_peer_access weasel_ats allow sites_on_weasel_ats
> >> > cache_peer_access reynolds_ats allow sites_on_reynolds_ats
> >> > cache_peer_access asimov_ats allow sites_on_asimov_ats
> >> >
> >> >
> >> > acl all src 0.0.0.0/0.0.0.0
> >> > acl localhost src 127.0.0.1/255.255.255.255
> >> > acl to_localhost dst 127.0.0.0/8
> >> > acl SSL_ports port 443
> >> > acl Safe_ports port 80          # http
> >> > acl Safe_ports port 443         # https
> >> > acl CONNECT method CONNECT
> >> > http_access deny !Safe_ports
> >> > http_access deny CONNECT !SSL_ports
> >> >
> >> > http_access allow all
> >> > icp_access allow all
> >> >
> >> >
> >> > coredump_dir /var/spool/squid3
> >> >
> >> >
> >> > httpd_suppress_version_string on
> >> > visible_hostname proxy-us.hrsmart.com
> >> >
> >> > ----------------------------------------------------------------------------
> >> >
> >> > Anyone have any idea how this was being done?  If so please respond to
> >> > the list.  If you know how to do this, I would appreciate a way to
> >> > reproduce this for my superiors.
> >> >
> >>
> >>
> >>
> >> --
> >>
> >> Sds.
> >> Alexandre J. Correa
> >> Onda Internet / OPinguim.net
> >> http://www.ondainternet.com.br
> >> http://www.opinguim.net
> >>
> >
>
>
>

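The puzzle in this thread is that the access.log shows CONNECT requests to port 25 answered with TCP_MISS/200 even though the quoted `http_access deny !Safe_ports` / `http_access deny CONNECT !SSL_ports` lines should reject them before `http_access allow all` is reached. The script below is an added example, not code from the thread or from the Squid project: it re-implements that first-match policy with the thread's port ACLs and audits Squid native-format log lines against it, reporting any request the policy says to deny that the proxy nevertheless served. The log lines are constructed in the same format as the excerpt, using documentation-range addresses.

```python
import re
from urllib.parse import urlsplit

SSL_PORTS = {443}        # acl SSL_ports port 443
SAFE_PORTS = {80, 443}   # acl Safe_ports port 80 / port 443

# Squid native access.log: time elapsed client code/status bytes method url ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

def dest_port(method, url):
    """Port the 'port' ACLs test: CONNECT carries host:port, other methods a URL."""
    if method == "CONNECT":
        return int(url.rpartition(":")[2])
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)

def policy_denies(method, port):
    """First-match evaluation of the thread's two deny lines; a request that
    passes both falls through to 'http_access allow all'."""
    if port not in SAFE_PORTS:                      # http_access deny !Safe_ports
        return True
    return method == "CONNECT" and port not in SSL_PORTS   # deny CONNECT !SSL_ports

def audit(log_text):
    """(client, method, url) for requests the policy denies but the proxy served (2xx)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # skip lines in another log format
        if policy_denies(m["method"], dest_port(m["method"], m["url"])) \
                and 200 <= int(m["status"]) < 300:
            hits.append((m["client"], m["method"], m["url"]))
    return hits

# Constructed sample lines (documentation-range addresses), same format as the thread's excerpt
SAMPLE_LOG = """\
1196170398.384    837 192.0.2.10 TCP_MISS/200 222 CONNECT 198.51.100.5:25 - DIRECT/198.51.100.5 -
1196170399.049   1132 192.0.2.10 TCP_MISS/503 0 CONNECT 198.51.100.6:25 - DIRECT/198.51.100.6 -
1196170400.072  10406 192.0.2.11 TCP_MISS/200 279 CONNECT 127.0.0.1:25 - DIRECT/127.0.0.1 -
1196170401.200    410 192.0.2.12 TCP_MISS/200 1543 CONNECT stuff.us.com:443 - DIRECT/203.0.113.7 -
1196170402.300    120 192.0.2.12 TCP_MISS/200 812 GET http://stuff.us.com/ - FIRST_UP_PARENT/bradbury_ats_za text/html
"""

if __name__ == "__main__":
    for client, method, url in audit(SAMPLE_LOG):
        print(f"policy says deny, proxy served: {client} {method} {url}")
```

Any line the audit reports is a request the quoted policy cannot have produced, which is the same conclusion Amos draws: the running proxy is not applying the squid.conf you think it is.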